我正在使用PreparedStatement
在SQL中編寫一些代碼以幫助進行SQL注入。Java中的PreparedStatement包含數據庫和列名稱的變量
例子:
stm = c.prepareStatement("UPDATE "
+ listResults.get(i).get(TemplateFile.TYPEOFPLAY).toLowerCase()
+ " SET score=? WHERE player_name_fkey=? AND school_name_fkey=? AND tournament_number=?;");
stm.setInt(1, Utilities.readNumber(listResults.get(i).get(TemplateFile.TOURNAMENT + j - 1)));
stm.setString(2, listResults.get(i).get(TemplateFile.NAME));
stm.setString(3, listResults.get(i).get(TemplateFile.SCHOOL_NAME));
stm.setInt(4, j);
我的問題是:有沒有辦法讓PreparedStatement對象允許參數(簽名了嗎?)要用於數據庫名稱和列。 例如:
stm = c.prepareStatement("UPDATE ? SET score=? WHERE player_name_fkey=? AND school_name_fkey=? AND tournament_number=?;");
stm.setString(1, listResults.get(i).get(TemplateFile.TYPEOFPLAY).toLowerCase());
stm.setInt(2, Utilities.readNumber(listResults.get(i).get(TemplateFile.TOURNAMENT + j - 1)));
stm.setString(3, listResults.get(i).get(TemplateFile.NAME));
stm.setString(4, listResults.get(i).get(TemplateFile.SCHOOL_NAME));
stm.setInt(5, j);
它看起來好多了,並且更容易讀爲好。
在此先感謝您的幫助!
謝謝你給出了非常有益的答案! –